Should I run npm install -g while the gateway is still running?

No—stop first to avoid file removal races on global installs; community reports show extended downtime when upgrading hot.

Why restart the gateway twice after some upgrades?

Stale Node module references can linger until a second clean restart; treat double restart as a documented workaround, not superstition.

How fast can I roll back?

If tarball restore takes under 3 minutes, keep nginx paused; if longer, fail over to a second region’s MacXCode node from pricing.

AI / Automation April 16, 2026

2026-04-16 OpenClaw Gateway Upgrade & Rollback on Headless Leased Cloud Mac

MacXCode Engineering Team April 16, 2026 ~15 min read

Shipping OpenClaw on a leased Apple Silicon Mac that only speaks SSH means upgrades are pure operations: no Finder click-trough, no “just restart the app.” This 2026-04-16 playbook covers ingress freeze, stop-before-npm sequencing, checksum backups of ~/.openclaw, version pinning (not blind @latest), validation with openclaw doctor, the occasional double gateway restart after global installs, and a tarball rollback under 3 minutes when builds go sideways—aligned with what operators report for npm-based gateways in 2026. Cross-link to environment variables & secrets (2026-04-15), health probes, and nginx ingress so the whole stack stays coherent across HK / JP / KR / SG / US.

Upgrade Risks Specific to Headless Gateways

Hot global npm — replacing files while Node still holds handles causes partial installs and “ghost” versions.
launchd overlap — a user LaunchAgent may respawn the gateway while you are mid-upgrade unless unloaded first.
Config drift — new minors may rename keys; keep a git-tracked export of openclaw.json minus secrets.
Webhook thundering herd — when you reopen nginx without readiness checks, partners retry aggressively—use probes from the health article.

Freeze Public Traffic First

On hosts using nginx reverse proxy, flip upstream to maintenance or return 503 with Retry-After: 90 while you work. Internal canaries on 127.0.0.1:18789 should still be reachable so you can validate before reopening the world.

Backup Matrix: What to Tar Before Touching npm

Path / artifact	Include?	Notes
`~/.openclaw` (or `$OPENCLAW_STATE_DIR`)	Always	Stop gateway first; verify gzip integrity with `shasum -a 256`
Global npm prefix tree	Optional	Capture `npm prefix -g` + `npm ls -g --depth=0` text for diffing
launchd plist	Always	Copy from `~/Library/LaunchAgents` into the same tarball folder

TS=$(date +%Y%m%d-%H%M) tar -czf "/Volumes/backups/openclaw-state-$TS.tgz" -C "$HOME" .openclaw shasum -a 256 "/Volumes/backups/openclaw-state-$TS.tgz" > "/Volumes/backups/openclaw-state-$TS.tgz.sha256"

Install & Pin: Treat Versions Like Database Migrations

Production gateways should track an explicit semver, e.g. 1.24.3, in your infra repo. CI may float slightly faster, but the Mac that faces partners in Singapore should not surprise you at 02:00 with a breaking plugin API. After stopping services:

npm install -g openclaw@1.24.3

Skew warning: some workflows update the CLI without restarting the gateway—always run openclaw gateway status and compare the reported build to openclaw --version; mismatch means you are mid-flight.

Validate, Restart, and When to Bounce Twice

Run openclaw doctor and capture stdout to your log shipper. Start the gateway via launchctl bootstrap/kickstart per your plist. If logs show stale module paths or odd require stacks, perform one additional clean stop/start cycle—document this so on-call does not assume flapping. Re-run synthetic checks from health probes before lifting nginx maintenance.

Timing budget: allocate 90 seconds of maintenance for minor semver bumps and 8–12 minutes for jumps that include native dependency rebuilds—communicate both numbers in status pages.

Rollback: Restore State, Not Hope

Stop gateway and nginx upstream again.
Remove broken global install if needed: npm rm -g openclaw then reinstall previous semver.
Expand tarball: tar -xzf openclaw-state-....tgz -C "$HOME" (confirm ownership).
Restore plist if it changed; launchctl bootout/bootstrap as required.
Verify doctor + internal curl; only then return 200 on public ingress.

Related Runbooks & Secrets Discipline

Upgrades touch the same files as secret rotation—coordinate with launchd env guidance so .env and plist keys stay consistent. If you add a second gateway user for blue/green, split OPENCLAW_STATE_DIR paths as described there. For capacity after repeated failures, add a witness node from pricing instead of endlessly patching one tired host.

FAQ: Gateway Upgrades on Cloud Macs

Question	Answer
pnpm instead of npm?	Supported—mirror the same stop/backup/pin/start discipline; record store path in runbooks.
Can I automate upgrades weekly?	Only with canary host + automated doctor + probe gates; never auto-upgrade production without humans on pager.
Where do I log incidents?	Use your existing bridge; correlate with structured logging fields.

Bottom line: treat OpenClaw upgrades like database failovers—freeze traffic, back up state, pin versions, validate twice, and rehearse rollback until muscle memory exists in every region you operate.

Run OpenClaw on dedicated M4 gateways

SSH-first · HK · JP · KR · SG · US

Lease a builder Deployment help